Improve EndpointTypes:

- Create two derived classes for EndpointType: SinkType and SourceType. - EndpointTypes don't use a `newtype`, but rather extend string, with their characteristic predicate replacing the current getDescription predicate.
2026-05-25 00:27:09 +02:00 · 2023-02-22 17:08:39 -08:00
parent 91109c826d
commit 10b81eebb7
4 changed files with 36 additions and 26 deletions
--- a/java/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/ATMConfig.qll
+++ b/java/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/ATMConfig.qll
@@ -109,7 +109,7 @@ abstract class AtmConfig extends TaintTracking::Configuration {
    // Exclude endpoints that have a characteristic that implies they're not sinks for _any_ sink type.
    exists(float confidence |
      confidence >= result.mediumConfidence() and
-      result.hasImplications(any(NegativeType negative), true, confidence)
+      result.hasImplications(any(NegativeSinkType negative), true, confidence)
    )
    or
    // Exclude endpoints that have a characteristic that implies they're not sinks for _this particular_ sink type,
--- a/java/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/EndpointCharacteristics.qll
+++ b/java/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/EndpointCharacteristics.qll
@@ -451,7 +451,7 @@ abstract private class NotASinkCharacteristic extends EndpointCharacteristic {
  override predicate hasImplications(
    EndpointType endpointClass, boolean isPositiveIndicator, float confidence
  ) {
-    endpointClass instanceof NegativeType and
+    endpointClass instanceof NegativeSinkType and
    isPositiveIndicator = true and
    confidence = highConfidence()
  }
@@ -470,7 +470,7 @@ abstract class LikelyNotASinkCharacteristic extends EndpointCharacteristic {
  override predicate hasImplications(
    EndpointType endpointClass, boolean isPositiveIndicator, float confidence
  ) {
-    endpointClass instanceof NegativeType and
+    endpointClass instanceof NegativeSinkType and
    isPositiveIndicator = true and
    confidence = mediumConfidence()
  }
@@ -595,7 +595,7 @@ abstract private class StandardEndpointFilterCharacteristic extends EndpointFilt
  override predicate hasImplications(
    EndpointType endpointClass, boolean isPositiveIndicator, float confidence
  ) {
-    endpointClass instanceof NegativeType and
+    endpointClass instanceof NegativeSinkType and
    isPositiveIndicator = true and
    confidence = mediumConfidence()
  }
--- a/java/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/EndpointTypes.qll
+++ b/java/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/EndpointTypes.qll
@@ -5,16 +5,16 @@
 * only predict classes defined within this file. This file is the source of truth for the integer
 * representation of each of these classes.
 */
-newtype TEndpointType =
-  TNegativeType() or
-  TSqlSinkType() or
-  TTaintedPathSinkType() or
-  TRequestForgerySinkType() or
-  TOtherMaDSinkType()

-/** A class that can be predicted by endpoint scoring models. */
-abstract class EndpointType extends TEndpointType {
-  abstract string getDescription();
+/** A class that can be predicted by a classifier. */
+abstract class EndpointType extends string {
+  /**
+   * Holds when the string matches the name of the sink / source type.
+   */
+  bindingset[this]
+  EndpointType() { any() }
+
+  final string getDescription() { result = this }

  /**
   * Gets the integer representation of this endpoint type. This integer representation specifies the class number
@@ -29,13 +29,23 @@ abstract class EndpointType extends TEndpointType {
   * See https://github.com/github/codeql/blob/44213f0144fdd54bb679ca48d68b28dcf820f7a8/java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll#LL353C11-L357C31
   */
  abstract string getKind();
+}

-  string toString() { result = getDescription() }
+/** A class for sink types that can be predicted by a classifier. */
+abstract class SinkType extends EndpointType {
+  bindingset[this]
+  SinkType() { any() }
+}
+
+/** A class for source types that can be predicted by a classifier. */
+abstract class SourceType extends EndpointType {
+  bindingset[this]
+  SourceType() { any() }
 }

 /** The `Negative` class for non-sinks. */
-class NegativeType extends EndpointType, TNegativeType {
-  override string getDescription() { result = "non-sink" }
+class NegativeSinkType extends SinkType {
+  NegativeSinkType() { this = "non-sink" }

  override int getEncoding() { result = 0 }

@@ -43,8 +53,8 @@ class NegativeType extends EndpointType, TNegativeType {
 }

 /** All sinks relevant to the SQL injection query */
-class SqlSinkType extends EndpointType, TSqlSinkType {
-  override string getDescription() { result = "sql injection sink" }
+class SqlSinkType extends SinkType {
+  SqlSinkType() { this = "sql injection sink" }

  override int getEncoding() { result = 1 }

@@ -52,8 +62,8 @@ class SqlSinkType extends EndpointType, TSqlSinkType {
 }

 /** All sinks relevant to the tainted path injection query. */
-class TaintedPathSinkType extends EndpointType, TTaintedPathSinkType {
-  override string getDescription() { result = "path injection sink" }
+class TaintedPathSinkType extends SinkType {
+  TaintedPathSinkType() { this = "path injection sink" }

  override int getEncoding() { result = 2 }

@@ -61,8 +71,8 @@ class TaintedPathSinkType extends EndpointType, TTaintedPathSinkType {
 }

 /** All sinks relevant to the SSRF query. */
-class RequestForgerySinkType extends EndpointType, TRequestForgerySinkType {
-  override string getDescription() { result = "ssrf sink" }
+class RequestForgerySinkType extends SinkType {
+  RequestForgerySinkType() { this = "ssrf sink" }

  override int getEncoding() { result = 3 }

@@ -70,8 +80,8 @@ class RequestForgerySinkType extends EndpointType, TRequestForgerySinkType {
 }

 /** Other sinks modeled by a MaD `kind` but not belonging to any of the existing sink types. */
-class OtherMaDSinkType extends EndpointType, TOtherMaDSinkType {
-  override string getDescription() { result = "other sink" }
+class OtherMaDSinkType extends SinkType {
+  OtherMaDSinkType() { this = "other sink" }

  override int getEncoding() { result = 4 }

--- a/java/ql/experimental/adaptivethreatmodeling/src/ExtractNegativeExamples.ql
+++ b/java/ql/experimental/adaptivethreatmodeling/src/ExtractNegativeExamples.ql
@@ -31,7 +31,7 @@ from
 where
  characteristic.appliesToEndpoint(endpoint) and
  confidence >= characteristic.highConfidence() and
-  characteristic.hasImplications(any(NegativeType negative), true, confidence) and
+  characteristic.hasImplications(any(NegativeSinkType negative), true, confidence) and
  // Exclude endpoints that have contradictory endpoint characteristics, because we only want examples we're highly
  // certain about in the prompt.
  not EndpointCharacteristics::erroneousEndpoints(endpoint, _, _, _, _) and
@@ -47,7 +47,7 @@ where
  |
    characteristic2.appliesToEndpoint(endpoint) and
    confidence2 >= characteristic2.maximalConfidence() and
-    not positiveType instanceof NegativeType and
+    not positiveType instanceof NegativeSinkType and
    characteristic2.hasImplications(positiveType, true, confidence2)
  ) and
  endpoint = getSampleFromSampleRate(0.01) and